Zeek
LogZilla App Store application: Zeek
Overview
Zeek is an open-source network security monitoring tool consisting of a suite of monitoring applications divided into modules. Zeek provides comprehensive network traffic analysis, protocol detection, and security monitoring capabilities for enterprise networks.
App Function
The Zeek app processes syslog messages in JSON format from various Zeek modules. The app extracts relevant data fields from JSON messages and creates user tags for network security analysis and monitoring.
The Zeek modules (and whether they are processed by this rule) are:
| Processed | Module | Description |
|---|---|---|
| ☑ | conn | TCP/UDP/ICMP connections |
| ☑ | dce_rpc | Distributed Computing Environment/RPC |
| ☑ | dhcp | DHCP leases |
| ☐ | dnp3 | DNP3 requests and replies |
| ☑ | dns | DNS activity |
| ☑ | dpd | Dynamic protocol detection |
| ☑ | files | File analysis results |
| ☑ | ftp | FTP activity |
| ☑ | http | HTTP requests and replies |
| ☐ | irc | IRC commands and responses |
| ☑ | kerberos | Kerberos |
| ☐ | modbus | Modbus commands and responses |
| ☐ | modbus_register_change | Tracks changes to Modbus holding registers |
| ☐ | mysql | MySQL |
| ☑ | ntlm | NT LAN Manager (NTLM) |
| ☑ | ntp | Network Time Protocol |
| ☐ | radius | RADIUS authentication attempts |
| ☐ | rdp | RDP |
| ☐ | rfb | Remote Framebuffer (RFB) |
| ☑ | sip | SIP |
| ☐ | smb_cmd | SMB commands |
| ☑ | smb_files | SMB files |
| ☑ | smb_mapping | SMB trees |
| ☑ | smtp | SMTP transactions |
| ☐ | snmp | SNMP messages |
| ☐ | socks | SOCKS proxy requests |
| ☑ | ssh | SSH connections |
| ☑ | ssl | SSL/TLS handshake info |
| ☑ | stats | Memory/event/packet/lag statistics |
| ☑ | syslog | Syslog messages |
| ☑ | tunnel | Tunneling protocol events |
| ☑ | weird | Unexpected network-level activity |
| ☑ | x509 | X.509 certificate info |
Vendor Documentation
Parsed Metadata Fields
The Zeek app extracts user tags from various Zeek data fields. Currently used tags include:
| Used | Zeek Field | Tag Name |
|---|---|---|
| ☑ | domain | Domain |
| ☑ | id.orig_h | SrcIP |
| ☑ | id.orig_p | SrcPort |
| ☑ | id.resp_h | DstIP |
| ☑ | id.resp_p | DstPort |
| ☑ | operation | Operation |
| ☑ | rcode_name | rCode Name |
| ☑ | status_msg | Status Message |
Note: The Zeek app supports many additional potential user tags based on available Zeek data fields. Contact LogZilla support for information about enabling additional tags for specific use cases.
High-Cardinality (HC) Tags
The following tags are high-cardinality (HC):
- SrcIP
- DstIP
- Domain
- Status Message
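The field-to-tag mapping and the HC list above, applied to real Zeek JSON records. This is an added example for this page, not LogZilla's or Zeek's code: TAG_MAP and HC_TAGS are copied from the tables above, while the module detection by field presence (Zeek's ASCII writer puts no log-stream name inside a JSON record), the normalization of the two "ts" encodings that appear in the log examples below (epoch float and ISO 8601 string), and the constructed sample batch are this example's own assumptions.

```python
"""Apply this page's Zeek field-to-tag table to raw Zeek JSON log lines.

Added example for this page, not LogZilla's or Zeek's code. TAG_MAP and
HC_TAGS are copied from the tables above; the module-detection heuristics,
the timestamp normalization and the sample batch are this example's own
assumptions (SAMPLE_LINES are constructed, shortened versions of the page's
log examples).
"""
import json
from collections import defaultdict
from datetime import datetime

# Zeek field -> LogZilla tag name, as listed under "Parsed Metadata Fields".
TAG_MAP = {
    "domain": "Domain",
    "id.orig_h": "SrcIP",
    "id.orig_p": "SrcPort",
    "id.resp_h": "DstIP",
    "id.resp_p": "DstPort",
    "operation": "Operation",
    "rcode_name": "rCode Name",
    "status_msg": "Status Message",
}

# Tags the page lists as high-cardinality (HC).
HC_TAGS = {"SrcIP", "DstIP", "Domain", "Status Message"}

# Assumption: Zeek's JSON writer adds no "_path" field, so the log type is
# inferred from fields that occur only in that log. Checked in this order.
MODULE_MARKERS = [
    ("ssh", {"hassh", "auth_success", "kex_alg"}),
    ("ssl", {"cipher", "server_name", "cert_chain_fuids"}),
    ("dns", {"qtype_name", "rcode_name", "qclass"}),
    ("http", {"status_msg", "uri", "method"}),
    ("conn", {"conn_state", "history"}),
]


def detect_module(record):
    """Return the Zeek module a parsed record most likely came from."""
    for module, markers in MODULE_MARKERS:
        if markers & record.keys():
            return module
    return "unknown"


def to_epoch(ts):
    """Normalize both "ts" encodings seen on this page (epoch float, or an
    ISO 8601 string with a trailing Z) to a float epoch timestamp."""
    if isinstance(ts, (int, float)):
        return float(ts)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def extract_tags(record):
    """Map the Zeek fields present in one record to tag names. Zeek's JSON
    writer keeps dotted record-field names ("id.orig_h") as flat keys, so no
    nested lookup is needed; a field that is absent yields no tag."""
    return {tag: record[field] for field, tag in TAG_MAP.items() if field in record}


def process_line(line):
    """Parse one JSON log line into (module, epoch_ts, tags)."""
    record = json.loads(line)
    return detect_module(record), to_epoch(record["ts"]), extract_tags(record)


def tag_cardinality(lines):
    """Distinct values per tag over a batch. Tags whose count keeps growing
    with the batch (addresses, domains, free-text status) are the HC ones."""
    seen = defaultdict(set)
    for line in lines:
        for tag, value in process_line(line)[2].items():
            seen[tag].add(str(value))
    return {tag: len(values) for tag, values in seen.items()}


# Constructed sample batch: conn, dns, ssl, ssh and http records.
SAMPLE_LINES = [
    '{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF","history":"Dd"}',
    '{"ts":1591367999.31,"uid":"CxDnsExample00001","id.orig_h":"192.168.4.77","id.orig_p":40122,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR"}',
    '{"ts":1598377391.921726,"uid":"CsukF91Bx9mrqdEaH9","id.orig_h":"192.168.4.49","id.orig_p":56718,"id.resp_h":"13.32.202.10","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","server_name":"www.taosecurity.com"}',
    '{"ts":"2020-09-16T13:29:23.245216Z","uid":"CzEmsljW9ooL0WnBd","id.orig_h":"35.196.195.158","id.orig_p":53160,"id.resp_h":"192.168.4.37","id.resp_p":22,"auth_success":true,"hassh":"ec7378c1a92f5a8dde7e8b7a1ddf33d1"}',
    '{"ts":1641949013.7,"uid":"CX1l7X34hCbGkWGlB7","id.orig_h":"192.168.10.5","id.orig_p":50111,"id.resp_h":"93.184.216.34","id.resp_p":443,"method":"GET","uri":"/","status_code":404,"status_msg":"Not Found"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        module, ts, tags = process_line(line)
        print(f"{module:5} ts={ts:.3f} hc={sorted(t for t in tags if t in HC_TAGS)} tags={tags}")
    print(tag_cardinality(SAMPLE_LINES))
```

Running the batch shows why the HC list looks the way it does: SrcIP yields a distinct value for nearly every record, while DstPort collapses to a handful of well-known ports. Only fields present in a record produce a tag, so a conn record never carries rCode Name or Status Message, and the SSH record's string timestamp ends up as the same float epoch the other logs use.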
Log Examples
Connection Log - UDP DNS Traffic
```json
{
  "ts": 1591367999.305988,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.06685185432434082,
  "orig_bytes": 62,
  "resp_bytes": 141,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 2,
  "orig_ip_bytes": 118,
  "resp_pkts": 2,
  "resp_ip_bytes": 197
}
```
SSL/TLS Connection Log
```json
{
  "ts": 1598377391.921726,
  "uid": "CsukF91Bx9mrqdEaH9",
  "id.orig_h": "192.168.4.49",
  "id.orig_p": 56718,
  "id.resp_h": "13.32.202.10",
  "id.resp_p": 443,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "curve": "secp256r1",
  "server_name": "www.taosecurity.com",
  "resumed": false,
  "next_protocol": "h2",
  "established": true,
  "cert_chain_fuids": [
    "F2XEvj1CahhdhtfvT4",
    "FZ7ygD3ERPfEVVohG9",
    "F7vklpOKI4yX9wmvh",
    "FAnbnR32nIIr2j9XV"
  ],
  "client_cert_chain_fuids": [],
  "subject": "CN=www.taosecurity.com",
  "issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US"
}
```
SSH Connection Log
```json
{
  "ts": "2020-09-16T13:29:23.245216Z",
  "uid": "CzEmsljW9ooL0WnBd",
  "id.orig_h": "35.196.195.158",
  "id.orig_p": 53160,
  "id.resp_h": "192.168.4.37",
  "id.resp_p": 22,
  "version": 2,
  "auth_success": true,
  "auth_attempts": 1,
  "direction": "INBOUND",
  "client": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2",
  "server": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
  "cipher_alg": "chacha20-poly1305@openssh.com",
  "mac_alg": "umac-64-etm@openssh.com",
  "compression_alg": "none",
  "kex_alg": "curve25519-sha256",
  "host_key_alg": "ecdsa-sha2-nistp256",
  "host_key": "a3:41:03:32:1f:8c:8e:82:92:9f:62:8c:38:82:d3:74",
  "hasshVersion": "1.0",
  "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
  "hasshServer": "b12d2871a1189eff20364cf5333619ee",
  "cshka": "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa",
  "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com,zlib",
  "sshka": "ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519",
  "hasshServerAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com"
}
```
Zeek Server-Side Configuration
Enable JSON Logging
The LogZilla Zeek app requires JSON format logs. Enable JSON logging on your Zeek installation:
- Edit `/opt/zeek/share/zeek/site/local.zeek` and add:
```text
# Output in JSON format
@load policy/tuning/json-logs.zeek
```
- Deploy the configuration:
```bash
zeekctl deploy
```
- Verify JSON format is enabled:
```bash
tail -1 /opt/zeek/logs/current/conn.log
```
Output should be in JSON format:
```json
{"ts":1641949013.6772,"uid":"CX1l7X34hCbGkWGlB6","id.orig_h":"192.168.10.107","id.orig_p":36278,"id.resp_h":"192.168.10.255","id.resp_p":32412,"proto":"udp","conn_state":"OTH"}
```
Log Ingestion
HTTP Event Receiver
LogZilla receives Zeek logs via HTTP/HTTPS using the HTTP Event Receiver, which provides:
- Better performance and reliability
- Native JSON support
- Built-in authentication
- Automatic batching and buffering
Configuration Method:
Configure syslog-ng on your Zeek server to forward JSON logs to LogZilla's /incoming endpoint. This approach provides proper batching, error handling, and reliability for production environments.
Quick Test:
```bash
curl -H 'Content-Type: application/json' \
     -H 'Authorization: token YOUR_GENERATED_TOKEN' \
     -X POST \
     -d '{"ts":1641949013.6772,"uid":"CX1l7X34hCbGkWGlB6","id.orig_h":"192.168.10.107"}' \
     'https://your-logzilla-server/incoming/raw/zeek'
```
Production Setup:
For production Zeek deployments, configure syslog-ng to forward logs with proper batching and error handling. See Syslog Relays - HTTP/HTTPS Configuration for complete setup instructions.
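The forwarding path described in this section, written out as a small Python forwarder so the error handling that syslog-ng gives you in production is visible in code. This is an added example for this page, not LogZilla's or syslog-ng's code. The endpoint path, the "Authorization: token ..." header and the one-JSON-object-per-POST body come from the Quick Test above; the page does not document a batch wire format for /incoming, so each record is posted as its own request. The placeholder URL and token, the retry policy, the injectable transport and the constructed input lines are this example's own assumptions. The input check ties back to the configuration section: Zeek's default tab-separated output is rejected rather than forwarded, which is what you see when json-logs.zeek was not loaded.

```python
"""Forward Zeek JSON log lines to LogZilla's HTTP Event Receiver with input
validation, retries and backoff.

Added example for this page, not LogZilla's or syslog-ng's code. Endpoint
path, Authorization header and one-object-per-POST body follow the page's
Quick Test; the batch format of /incoming is not documented on the page, so
records are posted one per request. Placeholder URL/token, retry policy and
SAMPLE_LINES are this example's own assumptions.
"""
import json
import time
import urllib.error
import urllib.request

ENDPOINT = "https://your-logzilla-server/incoming/raw/zeek"  # placeholder, as on the page
TOKEN = "YOUR_GENERATED_TOKEN"                                # placeholder, as on the page


def http_post(url, body, token, timeout=10):
    """Real transport: POST one JSON document and return the HTTP status
    code, or None on a connection-level failure (which has no status)."""
    headers = {"Content-Type": "application/json", "Authorization": f"token {token}"}
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return None


def classify(line):
    """'json' for a single JSON object; 'tsv' for Zeek's default tab-separated
    writer ('#separator ...' headers or tab-delimited records), i.e. JSON
    logging was not enabled as described above; 'invalid' for anything else."""
    stripped = line.strip()
    if not stripped:
        return "empty"
    try:
        return "json" if isinstance(json.loads(stripped), dict) else "invalid"
    except ValueError:
        return "tsv" if stripped.startswith("#") or "\t" in stripped else "invalid"


class Forwarder:
    """One validated record per request. Retries 5xx and connection errors
    with exponential backoff, never retries other 4xx, and stops the run on
    401/403 so a bad token is noticed instead of silently dropping logs."""

    def __init__(self, post=http_post, url=ENDPOINT, token=TOKEN,
                 retries=3, base_delay=0.5, sleep=time.sleep):
        self.post, self.url, self.token = post, url, token
        self.retries, self.base_delay, self.sleep = retries, base_delay, sleep
        self.stats = {"sent": 0, "skipped": 0, "failed": 0}

    def send_line(self, line):
        if classify(line) != "json":
            self.stats["skipped"] += 1
            return False
        body = line.strip().encode()
        for attempt in range(self.retries + 1):
            status = self.post(self.url, body, self.token)
            if status is not None and 200 <= status < 300:
                self.stats["sent"] += 1
                return True
            if status in (401, 403):
                raise PermissionError(f"receiver rejected token (HTTP {status})")
            if status is not None and 400 <= status < 500:
                break  # malformed request or wrong path: retrying cannot help
            if attempt < self.retries:
                self.sleep(self.base_delay * 2 ** attempt)
        self.stats["failed"] += 1
        return False

    def send_all(self, lines):
        """Forward every line; returns the per-line results in order."""
        return [self.send_line(line) for line in lines]


# Constructed input: one JSON conn record, then the TSV header and record Zeek
# writes when json-logs.zeek is not loaded, then a blank line.
SAMPLE_LINES = [
    '{"ts":1641949013.6772,"uid":"CX1l7X34hCbGkWGlB6","id.orig_h":"192.168.10.107",'
    '"id.orig_p":36278,"id.resp_h":"192.168.10.255","id.resp_p":32412,"proto":"udp","conn_state":"OTH"}',
    "#separator \\x09",
    "1641949013.6772\tCX1l7X34hCbGkWGlB6\t192.168.10.107\t36278\t192.168.10.255\t32412\tudp",
    "",
]


def dry_run(url, body, token):
    """Offline stand-in for http_post: print the request instead of sending."""
    print(f"POST {url} bytes={len(body)} Authorization: token {token[:4]}...")
    return 200


if __name__ == "__main__":
    fwd = Forwarder(post=dry_run)
    print(fwd.send_all(SAMPLE_LINES), fwd.stats)
```

Swap `dry_run` for the default `http_post` to send for real. The transport and the sleep function are injectable so the retry logic can be exercised offline; the distinction between a retried 503, a dropped 404 and a fatal 401 is the part worth carrying over to whatever forwarder you run in production, where syslog-ng's http destination supplies the batching this per-record loop does not.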